Downloading xxx program contained a virus and was deleted

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bluznvice, Sep 23, 2013.

  1. Bluznvice

    Bluznvice Private E-2

    Hello, and thanks in advance for the help.

    My wife was working on her computer yesterday trying to delete temp files. She called me and said she couldn't access the internet, only got a popup that looked like an official Windows internet security application scanning for viruses, found several, and said she needed to activate to fix the problems. She had been running Norton, but it expired...don't know how long ago. I deinstalled it while going through this process.

    I was not able to download any files from her computer, so downloaded all the Read and Run me first files from another computer onto a thumb drive and loaded them onto her computer. I was able to access the internet on her computer in Safe mode with networking, but any files I tried to download would get the message: xxx contained a virus and was deleted. Also not able to run Windows update or change any settings.

    I ran all the programs in Read and Run me first - logs attached. The only problem experienced (I think) was an error while extracting MB tools. I received an error that a file couldn't be created. Sorry, I didn't copy which file it was before proceeding. It did appear to run and complete though.

    Now, I am able to at least get to the internet without the false Windows virus scanner, but still can't download any files due to the program deleted error. Can't run Windows update either.

    Thanks
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Holly\AppData\Local\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\?��?��?��\?��?��?��\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" >) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : Internet Security (C:\Users\Holly\AppData\Roaming\msecurity.exe [-]) -> FOUND
    • [RUN][ZeroAccess] HKUS\S-1-5-21-346194235-4039510029-2025529994-1000\[...]\Run : Google Update ("C:\Users\Holly\AppData\Local\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\?��?��?��\?��?��?��\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" >) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-346194235-4039510029-2025529994-1000\[...]\Run : Internet Security (C:\Users\Holly\AppData\Roaming\msecurity.exe [-]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\ \...\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" < [x]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\ \...\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" < [x]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\ \...\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" < [x]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ....and the same for these items on the file tab please.

    • [ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_32\Desktop.ini [-] --> FOUND
    • [ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_64\Desktop.ini [-] --> FOUND
    • [ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
    • [ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
    • [ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
    • [ZeroAccess][Folder] Install : C:\Users\Holly\AppData\Local\Google\Desktop\Install [-] --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Re-run Hitman and have it delete all items under the heading Malware (except C:\MGtools.exe) and also have it delete all Potential Unwanted Programs.


    Delete this if you see it:
    • C:\Users\Holly\AppData\Roaming\msecurity.exe


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    • Re-run TDSSKiller please and attach log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
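    The RogueKiller detections listed above can be verified read-only before anything is deleted. This is an added PowerShell example, not RogueKiller output or anything posted in the thread; it assumes the profile path C:\Users\Holly taken from the log (change it for another machine) and only reports, never removes.

```powershell
# Added example (not from the thread): read-only checks for the ZeroAccess
# persistence reported above. Profile path is an assumption from the log.
param([string]$UserProfile = "C:\Users\Holly")

$findings = @()

# 1. Run keys: flag values whose command line contains non-printable
#    characters (the garbled folder names in the log), points into the
#    Google\Desktop\Install folder, or launches a loose exe under AppData\Roaming.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '[^\x20-\x7E]' -or
            $cmd -match '\\Google\\Desktop\\Install\\' -or
            $cmd -match '\\AppData\\Roaming\\[^\\]+\.exe') {
            $findings += "Run value '$($p.Name)' in $key -> $cmd"
        }
    }
}

# 2. Windows Defender DLL paths replaced by junctions: a real DLL is a plain
#    file and never carries the ReparsePoint attribute.
foreach ($dll in 'MpClient.dll', 'MpRTP.dll', 'MpSvc.dll') {
    $path = Join-Path 'C:\Program Files\Windows Defender' $dll
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "Reparse point where a DLL should be: $path"
        }
    }
}

# 3. Desktop.ini dropped into the GAC folders, and the Desktop\Install folder.
foreach ($f in 'C:\Windows\assembly\GAC_32\Desktop.ini',
               'C:\Windows\assembly\GAC_64\Desktop.ini',
               (Join-Path $UserProfile 'AppData\Local\Google\Desktop\Install')) {
    if (Test-Path -LiteralPath $f) { $findings += "Unexpected item present: $f" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "SUSPECT: $_" } }
else { Write-Output "None of the indicators listed in this thread were found." }
```

    Run it from an elevated PowerShell prompt; the reparse-point check needs -Force because the junction targets are hidden system locations.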
     
  3. Bluznvice

    Bluznvice Private E-2

    Kestrel13,

    Thanks, I only got through the first 2 steps and figured I better stop and send an update.

    The user control panel in Rogue Killer doesn't really display the findings the same way as the logs. I was only able to identify the first 2 entries in the log from the control panel and deleted them. Under the files tab I was able to make out each of the entries, but they weren't displayed the same. 4 logs were created during this process and I've attached each.

    I re-ran Hitman, but it didn't display any headings indicating either Malware or Potential Unwanted Programs. Just one long list. I didn't see the file msecurity.exe. I deleted everything except MGtools. Log attached.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, that's fine. Two more bad entries show in the registry tab:
    • [RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Holly\AppData\Local\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\?��?��?��\?��?��?��\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" >) -> FOUND
    • [RUN][ZeroAccess] HKUS\S-1-5-21-346194235-4039510029-2025529994-1000\[...]\Run : Google Update ("C:\Users\Holly\AppData\Local\Google\Desktop\Install\{8b92776e-23a4-c000-182d-3472c49a85a1}\?��?��?��\?��?��?��\???ﯹ๛\{8b92776e-23a4-c000-182d-3472c49a85a1}\GoogleUpdate.exe" >) -> FOUND

    Can you get those deleted and then move on with the other instructions please? :)
     
  5. Bluznvice

    Bluznvice Private E-2

    Kestrel,

    I wasn't able to find the 2 files referenced from Rogue Killer. Logs are attached. Somehow the logs just don't match the user panel. Can't seem to attach a screen shot.

    TDSSkiller didn't find any threats so I'm guessing that's why it didn't create a log.

    MGtools log is attached.

    Posting this and I'll give you an update on how it's working.
     

    Attached Files:

  6. Bluznvice

    Bluznvice Private E-2

    After restarting after the last fixes I was able to download and install Comodo anti-virus and Comodo Firewall. The AV found two threats on installation and I let it remove them. Something to do with a dictionary.

    Something still lurking though. I've gotten several alerts from Comodo AV blocking attacks. One of them was desktop.ini which I recall from an earlier cleaning.

    Also still can't run Windows Update or change settings. It says that it can't update because the service isn't running. I tried running fixit from Microsoft but it didn't find any errors. Then tried the Windows update troubleshooter. It acknowledged the problem, but couldn't fix it either.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Desktop.ini is not a problem. You just need to "train" comodo. ;) It's a little over aggressive.

    OK, as to the Windows Update problem, you should try running this: (Now, it takes a while so go off and do something else....)

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Any better? :confused
     
  8. Bluznvice

    Bluznvice Private E-2

    That did the trick! Seems to be ok now. I'll give it a couple days then resume "normal" operations:)

    Thanks Kestrel!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please. Do report back in a couple days. :)
     
  10. Bluznvice

    Bluznvice Private E-2

    Hey Kestrel...

    Still working through some issues:

    1. BD/DVD/CD ROM Drive not stable. After we removed the malware, there was no drive recognized. I ran the supplied Fujitsu diags, and it didn't recognize a drive, but after a re-boot, it was in the system list. Now, it periodically disappears from the system configuration. Not sure why. I continue to run the Fujitsu diags, but it still doesn't recognize a drive. It's weird, I'll open up My Computer, see the drive listed, put in a disc, and the drive disappears. It's gone from the device manager as well. If I re-boot the system, it will generally see the BD ROM drive again. Not sure I have the correct drivers loaded.

    2. Unsure about continuing to use Comodo. It's still periodically giving me Malware detection alerts, but no information about what it detected. I've never used Comodo before, so it might just be my lack of familiarity with how to use it.

    3. External monitor display quality is poor (fuzzy). I haven't tried to adjust this yet, so it might just be a remnant from running all the malware tools.

    4. Various programs won't run. Usually missing some driver. No worries here, all the important stuff was backed up. It's usually the junkware that isn't running.

    If you have any tips on the BD ROM issue or Comodo, I'd sure appreciate it.

    Thanks!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    All that you mentioned there is really topic for the software forum. :) You can feel free to post there about it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
